A recent update of the FTC’s COPPA compliance plan for businesses focuses on internet-connected toys and devices aimed at children; FBI issues a Public Service Announcement with a similar focus.

In recent weeks—and just in time for the back-to-school season—both the Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) have made clear that they are focused on kids’ privacy, particularly as it relates to internet-connected or “smart” toys and other devices directed at children. The FTC recently updated its six-step compliance plan for businesses to comply with the Children’s Online Privacy Protection Act (COPPA). Similarly, the FBI released a Public Service Announcement about the dangers of internet-connected toys and other kids’ devices.

Background

COPPA prohibits unfair or deceptive acts and practices in connection with the collection, use, and/or disclosure of personal information on the internet from and/or about children. COPPA is one of the strictest privacy statutes in the world, and even has been touted as a model by European and other regulators in jurisdictions known for more rigid privacy laws than are typically found in the United States. COPPA applies to websites or other online services such as mobile apps that collect personal information from children under the age of 13.

Among other requirements, the FTC’s rules implementing COPPA require

direct notice to a parent about a company’s personal information practices;

·verifiable parental consent before any collection, use, and/or disclosure of personal information of children under the age of 13;

a means for parents to review such information and prevent its further use;

a conspicuously posted privacy policy that clearly and comprehensively describes how personal information collected online from children under 13 is handled;

a prohibition on conditioning children’s game participation, prize eligibility, or other activities on children disclosing more personal information than is reasonably necessary for such participation; and

steps to protect the confidentiality, security, and integrity of such collected information.

Updated COPPA Compliance Plan

The “Hello Barbie” doll sparked national attention around connected toys and children’s privacy after a class action lawsuit alleged that Mattel recorded children’s conversations with the doll without parental consent. In response to such developing technology—particularly “smart” toys like Hello Barbie that are directed at children—the FTC updated its six-step COPPA compliance plan for businesses (Compliance Plan). The updated Compliance Plan addresses two key changes: (1) New internet-connected products for children and (2) new methods to secure verifiable parental consent.

Internet-Connected Toys or Other Internet of Things Devices

The updated Compliance Plan makes clear that any company providing “connected toys or other Internet of Things devices” are covered by COPPA—falling within COPPA’s definition of a “website or online service.” The Compliance Plan also covers new ways of collecting information such as voice-activated devices that collect personal data from children.

Updates to Verifiable Parental Consent: Data Collection Methods

The Compliance Plan now includes the following two additional ways that companies can obtain verifiable parental consent:

Having the parent answer a series of knowledge-based authentication questions that would be challenging for someone other than the parent to answer

Verifying a picture of a driver’s license or other photo identification submitted by the parent and comparing that photo to a second photo using facial recognition technology

FBI Also Focuses on Internet-Connected Toys

Emphasizing that the challenges related to internet-connected toys are more than theoretical, last week, the FBI took the unusual step of issuing a Public Service Announcement warning consumers about privacy risks associated with internet-connected toys.

The FBI warning encourages consumers to “consider cyber security prior to introducing smart, interactive, internet-connected toys into [] homes or trusted environments” and “examine toy company user agreement disclosures and privacy practices, and know where [your] family’s personal data is sent and stored, including if it’s sent to third-party services.”

The FBI identifies COPPA as the consumer law protecting children and provides a number of recommendations for consumers to protect themselves when using “smart” toys such as researching toys’ internet and device connection and security measures (including whether the toys can receive firmware and/or software updates and security patches) as well as carefully reading disclosures and privacy policies.

Practical Implications

Companies that have a significant consumer base among kids under 13 and that offer internet-connected toys or devices should carefully review company operations and advertising programs in response to the updated Compliance Plan. COPPA is vigorously enforced by the FTC and state attorneys general, and the added attention in these areas will only increase the level of scrutiny for companies.

In addition, when the new European General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, any organization targeting the European consumer market will need to consider the obligation of “privacy by design” as well as provide a privacy notice to any individual whose data is collected through smart toys or internet-connected devices. Consent from a parent or guardian also will be required to process a child's personal data. The GDPR states that, if consent is the basis for processing a child’s personal data, a child under the age of 16 cannot give such consent and, instead, consent is required from a person holding “parental responsibility”—but note that the GDPR does permit EU member states to provide for a lower age in law, as long as it is not below 13.

The updates from the FTC and FBI—as well as the continued focus on these issues in the European market—highlight the risks and challenges around kids’ privacy, and can serve as an opportune reminder for companies to revisit policies, processes, and procedures to ensure full compliance in this area.

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com intended to be a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional. NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us.

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 4700 Gilbert Ave. Suite 47 #230 Western Springs, IL 60558 Telephone (708) 357-3317 If you would ike to contact us via email please click here.